These enterprise systems at the source of the flaw can cost in the tens of thousands of dollars per unit. The researcher who discovered the flaw disclosed it on his blog after his three weekly requests for an update had "gone ignored."

The flaw involves a hidden, undisclosed administrative account. There may be concerns that HP could, in theory, access corporate and user data, the researcher noted, but he warned that the SHA1-hashed password can easily be brute-forced into plain text by hackers.

Now that the SHA1-hashed password has been published, anyone can potentially crack it and access systems with this "hidden" administrative account. It's not clear at the time of writing whether anyone has yet, however.

An HP spokesperson added in a statement, which seemed to suggest that the computer maker itself had discovered the flaw, that the company "identified a potential security issue with older HP StoreOnce models." HP said that the issue does not affect systems with current version 3.0 software, "including the HP StoreOnce B6200 and HP StoreOnce VSA product offerings."

The researcher noted that HP, which counts itself as a member of the Zero Day Initiative — a group that pays security researchers bounties for submitting security flaws — is "somewhat immune to" the philosophy that vulnerabilities should be disclosed.

HP has now disclosed the flaw in a public disclosure note, as of Wednesday, and a software patch will be issued on July 7 to "disable the undocumented HP Support user account."
